Glpi Project

GLPI is a free asset and IT management software package

CVE-2025-25192 6.5 - Medium - February 25, 2025

GLPI is a free asset and IT management software package. Prior to version 10.0.18, a low privileged user can enable debug mode and access sensitive information. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

Information Disclosure

GLPI is a free asset and IT management software package

CVE-2025-23046 7.5 - High - February 25, 2025

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.

Incorrect Implementation of Authentication Algorithm

GLPI is a free asset and IT management software package

CVE-2025-23024 4.3 - Medium - February 25, 2025

GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

AuthZ

GLPI is a free asset and IT management software package

CVE-2025-21627 6.1 - Medium - February 25, 2025

GLPI is a free asset and IT management software package. In versions prior to 10.0.18, a malicious link can be crafted to perform a reflected XSS attack on the search page. If the anonymous ticket creation is enabled, this attack can be performed by an unauthenticated user. Version 10.0.18 contains a fix for the issue.

XSS

GLPI is a free asset and IT management software package

CVE-2025-21626 6.5 - Medium - February 25, 2025

GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers.

Information Disclosure

A vulnerability was found in GLPI up to 10.0.17

CVE-2024-11955 6.1 - Medium - February 25, 2025

A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.0.18 is able to address this issue. It is recommended to upgrade the affected component.

Open Redirect

GLPI is a free asset and IT management software package

CVE-2024-50339 5.3 - Medium - December 12, 2024

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.

Session Fixation

GLPI User Account Deletion Vulnerability

CVE-2024-48912 8.1 - High - December 11, 2024

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue.

Authorization

GLPI Privilege Escalation Vulnerability in Notification System

CVE-2024-47761 7.2 - High - December 11, 2024

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.

authentification

GLPI API Privilege Escalation Vulnerability

CVE-2024-47760 8.8 - High - December 11, 2024

GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.

Authorization

GLPI API Privilege Escalation Vulnerability

CVE-2024-47758 8.8 - High - December 11, 2024

GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that have the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue.

Authorization

GLPI is a free asset and IT management software package

CVE-2024-43416 5.3 - Medium - November 18, 2024

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.

Information Disclosure

GLPI API Document Access Control Vulnerability

CVE-2024-38370 7.5 - High - November 15, 2024

GLPI is a free asset and IT management software package. Starting in 9.2.0 and prior to 11.0.0, it is possible to download a document from the API without appropriate rights. Upgrade to 10.0.16.

AuthZ

GLPI Access Control Bypass and Stored XSS Vulnerability

CVE-2024-45611 5.4 - Medium - November 15, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can bypass the access control policy to create a private RSS feed attached to another user account and use a malicious payload to triggger a stored XSS. Upgrade to 10.0.17.

XSS

GLPI Cable Form Reflected XSS Vulnerability

CVE-2024-45610 6.1 - Medium - November 15, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Cable form. Upgrade to 10.0.17.

XSS

GLPI Reflected XSS Vulnerability in Reports Pages

CVE-2024-45609 6.1 - Medium - November 15, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the reports pages. Upgrade to 10.0.17.

XSS

SQL Injection Vulnerability in GLPI User Preferences

CVE-2024-45608 8.8 - High - November 15, 2024

GLPI is a free asset and IT management software package. An authenticated user can perfom a SQL injection by changing its preferences. Upgrade to 10.0.17.

SQL Injection

GLPI Reflected Cross-Site Scripting (XSS) Vulnerability in Technician Interface

CVE-2024-43418 6.1 - Medium - November 15, 2024

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.

XSS

GLPI Software Form Reflected XSS Vulnerability

CVE-2024-43417 6.1 - Medium - November 15, 2024

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability located in the Software form. Upgrade to 10.0.17.

XSS

SQL Injection Vulnerability in GLPI Ticket Form

CVE-2024-41679 8.8 - High - November 15, 2024

GLPI is a free asset and IT management software package. An authenticated user can exploit a SQL injection vulnerability from the ticket form. Upgrade to 10.0.17.

SQL Injection

GLPI SVG File Script Execution Vulnerability

CVE-2024-47759 4.8 - Medium - November 15, 2024

GLPI is a free Asset and IT management software package. An technician can upload a SVG containing a malicious script. The script will then be executed when any user will try to see the document contents. Upgrade to 10.0.17.

XSS

GLPI Reflected Cross-Site Scripting (XSS) Vulnerability in User Interface

CVE-2024-41678 6.1 - Medium - November 15, 2024

GLPI is a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician in order to exploit a reflected XSS vulnerability. Upgrade to 10.0.17.

XSS

GLPI SQL Injection Vulnerability in User Account Management

CVE-2024-40638 8.8 - High - November 15, 2024

GLPI is a free asset and IT management software package. An authenticated user can exploit multiple SQL injection vulnerabilities. One of them can be used to alter another user account data and take control of it. Upgrade to 10.0.17.

SQL Injection

GLPI is an open-source asset and IT management software package

CVE-2024-37148 8.1 - High - July 10, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in some AJAX scripts to alter another user account data and take control of it. Upgrade to 10.0.16.

SQL Injection

GLPI is an open-source asset and IT management software package

CVE-2024-37149 8.8 - High - July 10, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16.

Code Injection

GLPI is an open-source asset and IT management software package

CVE-2024-37147 4.3 - Medium - July 10, 2024

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access on it. Upgrade to 10.0.16.

GLPI is a Free Asset and IT Management Software package

CVE-2024-31456 6.5 - Medium - May 07, 2024

GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability from map search. This vulnerability is fixed in 10.0.15.

SQL Injection

GLPI is a Free Asset and IT Management Software package

CVE-2024-29889 8.1 - High - May 07, 2024

GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user account data take control of it. This vulnerability is fixed in 10.0.15.

SQL Injection

The GLPI Agent is a generic management agent

CVE-2024-28241 7.8 - High - April 25, 2024

The GLPI Agent is a generic management agent. Prior to version 1.7.2, a local user can modify GLPI-Agent code or used DLLs to modify agent logic and even gain higher privileges. Users should upgrade to GLPI-Agent 1.7.2 to receive a patch. As a workaround, use the default installation folder which involves installed folder is automatically secured by the system.

Improper Privilege Management

The GLPI Agent is a generic management agent

CVE-2024-28240 7.8 - High - April 25, 2024

The GLPI Agent is a generic management agent. A vulnerability that only affects GLPI-Agent installed on windows via MSI packaging can allow a local user to cause denial of agent service by replacing GLPI server url with a wrong url or disabling the service. Additionally, in the case the Deploy task is installed, a local malicious user can trigger privilege escalation configuring a malicious server providing its own deploy task payload. GLPI-Agent 1.7.2 contains a patch for this issue. As a workaround, edit GLPI-Agent related key under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` and add `SystemComponent` DWORD value setting it to `1` to hide GLPI-Agent from installed applications.

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2024-27914 6.1 - Medium - March 18, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An unauthenticated user can provide a malicious link to a GLPI administrator in order to exploit a reflected XSS vulnerability. The XSS will only trigger if the administrator navigates through the debug bar. This issue has been patched in version 10.0.13.

XSS

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2024-27104 4.8 - Medium - March 18, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. A user with rights to create and share dashboards can build a dashboard containing javascript code. Any user that will open this dashboard will be subject to an XSS attack. This issue has been patched in version 10.0.13.

XSS

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2024-27098 9.6 - Critical - March 18, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can execute a SSRF based attack using Arbitrary Object Instantiation. This issue has been patched in version 10.0.13.

SSRF

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2024-27096 6.5 - Medium - March 18, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13.

SQL Injection

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2024-27937 4.3 - Medium - March 18, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version 10.0.13.

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2024-27930 6.5 - Medium - March 18, 2024

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can access sensitive fields data from items on which he has read access. This issue has been patched in version 10.0.13.

GLPI is a Free Asset and IT Management Software package

CVE-2024-23645 6.1 - Medium - February 01, 2024

GLPI is a Free Asset and IT Management Software package. A malicious URL can be used to execute XSS on reports pages. Upgrade to 10.0.12.

XSS

GLPI is a Free Asset and IT Management Software package

CVE-2023-51446 8.1 - High - February 01, 2024

GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12.

Injection

GLPI is a free asset and IT management software package

CVE-2023-46727 9.8 - Critical - December 13, 2023

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, GLPI inventory endpoint can be used to drive a SQL injection attack. Version 10.0.11 contains a patch for the issue. As a workaround, disable native inventory.

SQL Injection

GLPI is a free asset and IT management software package

CVE-2023-46726 9.8 - Critical - December 13, 2023

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, on PHP 7.4 only, the LDAP server configuration form can be used to execute arbitrary code previously uploaded as a GLPI document. Version 10.0.11 contains a patch for the issue.

Injection

GLPI is a free asset and IT management software package

CVE-2023-43813 8.8 - High - December 13, 2023

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

SQL Injection

GLPI is a free asset and IT management software package

CVE-2023-42802 9.8 - Critical - November 02, 2023

GLPI is a free asset and IT management software package. Starting in version 10.0.7 and prior to version 10.0.10, an unverified object instantiation allows one to upload malicious PHP files to unwanted directories. Depending on web server configuration and available system libraries, malicious PHP files can then be executed through a web server request. Version 10.0.10 fixes this issue. As a workaround, remove write access on `/ajax` and `/front` files to the web server.

Unrestricted File Upload

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-42462 9.1 - Critical - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The document upload process can be diverted to delete some files. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Unrestricted File Upload

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-42461 9.8 - Critical - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The ITIL actors input field from the Ticket form can be used to perform a SQL injection. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

SQL Injection

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41888 5.4 - Medium - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. The lack of path filtering on the GLPI URL may allow an attacker to transmit a malicious URL of login page that can be used to attempt a phishing attack on user credentials. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Directory traversal

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41326 8.8 - High - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A logged user from any profile can hijack the Kanban feature to alter any user field, and end-up with stealing its account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41324 8.8 - High - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user that have read access on users resource can steal accounts of other users. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41323 5.3 - Medium - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An unauthenticated user can enumerate users logins. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41322 8.8 - High - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. A user with write access to another user can make requests to change the latter's password and then take control of their account. Users are advised to upgrade to version 10.0.10. There are no known work around for this vulnerability.

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41321 6.5 - Medium - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. An API user can enumerate sensitive fields values on resources on which he has read access. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package

CVE-2023-41320 9.8 - Critical - September 27, 2023

GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. UI layout preferences management can be hijacked to lead to SQL injection. This injection can be use to takeover an administrator account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

SQL Injection

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2023-37278 9.1 - Critical - July 13, 2023

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An administrator can trigger SQL injection via dashboards administration. This vulnerability has been patched in version 10.0.9.

SQL Injection

GLPI is a free asset and IT management software package

CVE-2023-36808 9.8 - Critical - July 05, 2023

GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

SQL Injection

GLPI is a free asset and IT management software package

CVE-2023-35940 7.5 - High - July 05, 2023

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a file allows an unauthenticated user to be able to access dashboards data. Version 10.0.8 contains a patch for this issue.

AuthZ

GLPI is a free asset and IT management software package

CVE-2023-35939 8.1 - High - July 05, 2023

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.8, an incorrect rights check on a on a file accessible by an authenticated user (or not for certain actions), allows a threat actor to interact, modify, or see Dashboard data. Version 10.0.8 contains a patch for this issue.

Authorization

GLPI is a free asset and IT management software package

CVE-2023-35924 9.8 - Critical - July 05, 2023

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.8, GLPI inventory endpoint can be used to drive a SQL injection attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native inventory.

SQL Injection

GLPI is a free asset and IT management software package

CVE-2023-34244 6.1 - Medium - July 05, 2023

GLPI is a free asset and IT management software package. Starting in version 9.4.0 and prior to version 10.0.8, a malicious link can be crafted by an unauthenticated user that can exploit a reflected XSS in case any authenticated user opens the crafted link. Users should upgrade to version 10.0.8 to receive a patch.

XSS

GLPI is a free asset and IT management software package

CVE-2023-34107 6.5 - Medium - July 05, 2023

GLPI is a free asset and IT management software package. Versions of the software starting with 9.2.0 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user, allows access to the view all KnowbaseItems. Version 10.0.8 has a patch for this issue.

Authorization

GLPI is a free asset and IT management software package

CVE-2023-34106 6.5 - Medium - July 05, 2023

GLPI is a free asset and IT management software package. Versions of the software starting with 0.68 and prior to 10.0.8 have an incorrect rights check on a on a file accessible by an authenticated user. This allows access to the list of all users and their personal information. Users should upgrade to version 10.0.8 to receive a patch.

Authorization

The GLPI Agent is a generic management agent

CVE-2023-34254 7.2 - High - June 23, 2023

The GLPI Agent is a generic management agent. Prior to version 1.5, if glpi-agent is running remoteinventory task against an Unix platform with ssh command, an administrator user on the remote can manage to inject a command in a specific workflow the agent would run with the privileges it uses. In the case, the agent is running with administration privileges, a malicious user could gain high privileges on the computer glpi-agent is running on. A malicious user could also disclose all remote accesses the agent is configured with for remoteinventory task. This vulnerability has been patched in glpi-agent 1.5.

Shell injection

The Cartography (aka positions) plugin before 6.0.1 for GLPI

CVE-2022-34128 9.8 - Critical - April 16, 2023

The Cartography (aka positions) plugin before 6.0.1 for GLPI allows remote code execution via PHP code in the POST data to front/upload.php.

Unrestricted File Upload

The Managentities plugin before 4.0.2 for GLPI

CVE-2022-34127 7.5 - High - April 16, 2023

The Managentities plugin before 4.0.2 for GLPI allows reading local files via directory traversal in the inc/cri.class.php file parameter.

Directory traversal

The Activity plugin before 3.1.1 for GLPI

CVE-2022-34126 7.5 - High - April 16, 2023

The Activity plugin before 3.1.1 for GLPI allows reading local files via directory traversal in the front/cra.send.php file parameter.

Directory traversal

front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI

CVE-2022-34125 6.5 - Medium - April 16, 2023

front/icon.send.php in the CMDB plugin before 3.0.3 for GLPI allows attackers to gain read access to sensitive information via a _log/ pathname in the file parameter.

Information Disclosure

The Order GLPI plugin allows users to manage order management within GLPI

CVE-2023-29006 8.8 - High - April 05, 2023

The Order GLPI plugin allows users to manage order management within GLPI. Starting with version 1.8.0 and prior to versions 2.7.7 and 2.10.1, an authenticated user that has access to standard interface can craft an URL that can be used to execute a system command. Versions 2.7.7 and 2.10.1 contain a patch for this issue. As a workaround, delete the `ajax/dropdownContact.php` file from the plugin.

Marshaling, Unmarshaling

GLPI is a free asset and IT management software package

CVE-2023-28852 4.8 - Medium - April 05, 2023

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 9.5.13 and 10.0.7, a user with dashboard administration rights may hack the dashboard form to store malicious code that will be executed when other users will use the related dashboard. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

XSS

GLPI is a free asset and IT management software package

CVE-2023-28849 5.4 - Medium - April 05, 2023

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.7, GLPI inventory endpoint can be used to drive a SQL injection attack. It can also be used to store malicious code that could be used to perform XSS attack. By default, GLPI inventory endpoint requires no authentication. Version 10.0.7 contains a patch for this issue. As a workaround, disable native inventory.

XSS

GLPI is a free asset and IT management software package

CVE-2023-28838 8.1 - High - April 05, 2023

GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, remove `Assistance > Statistics` and `Tools > Reports` read rights from every user.

SQL Injection

GLPI is a free asset and IT management software package

CVE-2023-28639 6.1 - Medium - April 05, 2023

GLPI is a free asset and IT management software package. Starting in version 0.85 and prior to versions 9.5.13 and 10.0.7, a malicious link can be crafted by an unauthenticated user. It will be able to exploit a reflected XSS in case any authenticated user opens the crafted link. This issue is fixed in versions 9.5.13 and 10.0.7.

XSS

GLPI is a free asset and IT management software package

CVE-2023-28636 4.8 - Medium - April 05, 2023

GLPI is a free asset and IT management software package. Starting in version 0.60 and prior to versions 9.5.13 and 10.0.7, a vulnerability allows an administrator to create a malicious external link. This issue is fixed in versions 9.5.13 and 10.0.7.

XSS

GLPI is a free asset and IT management software package

CVE-2023-28634 8.8 - High - April 05, 2023

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, a user who has the Technician profile could see and generate a Personal token for a Super-Admin. Using such token it is possible to negotiate a GLPI session and hijack the Super-Admin account, resulting in a Privilege Escalation. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

AuthZ

GLPI is a free asset and IT management software package

CVE-2023-28633 5.4 - Medium - April 05, 2023

GLPI is a free asset and IT management software package. Starting in version 0.84 and prior to versions 9.5.13 and 10.0.7, usage of RSS feeds is subject to server-side request forgery (SSRF). In case the remote address is not a valid RSS feed, an RSS autodiscovery feature is triggered. This feature does not check safety or URLs. Versions 9.5.13 and 10.0.7 contain a patch for this issue.

SSRF

GLPI is a free asset and IT management software package

CVE-2023-28632 8.1 - High - April 05, 2023

GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emails of any user, and can therefore takeover another user account through the "forgotten password" feature. By modifying emails, the user can also receive sensitive data through GLPI notifications. Versions 9.5.13 and 10.0.7 contain a patch for this issue. As a workaround, account takeover can be prevented by deactivating all notifications related to `Forgotten password?` event. However, it will not prevent unauthorized modification of any user emails.

Improper Privilege Management

GLPI is a Free Asset and IT Management Software package

CVE-2023-22724 4.8 - Medium - January 26, 2023

GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript. This issue is patched in 10.0.6.

XSS

GLPI is a Free Asset and IT Management Software package

CVE-2023-22722 6.1 - Medium - January 26, 2023

GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the victim or exfiltrate session cookies. This issue is patched in version 10.0.6.

XSS

GLPI is a Free Asset and IT Management Software package

CVE-2023-22500 7.5 - High - January 26, 2023

GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6 are vulnerable to Incorrect Authorization. This vulnerability allow unauthorized access to inventory files. Thus, if anonymous access to FAQ is allowed, inventory files are accessbile by unauthenticated users. This issue is patched in version 10.0.6. As a workaround, disable native inventory and delete inventory files from server (default location is `files/_inventory`).

AuthZ

GLPI is a Free Asset and IT Management Software package

CVE-2023-22725 4.8 - Medium - January 26, 2023

GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6 are vulnerable to Cross-site Scripting. This vulnerability allow for an administrator to create a malicious external link. This issue is patched in 10.0.6.

XSS

GLPI is a Free Asset and IT Management Software package

CVE-2023-23610 6.5 - Medium - January 26, 2023

GLPI is a Free Asset and IT Management Software package. Versions prior to 9.5.12 and 10.0.6 are vulnerable to Improper Privilege Management. Any user having access to the standard interface can export data of almost any GLPI item type, even those on which user is not allowed to access (including assets, tickets, users, ...). This issue is patched in 10.0.6.

Incorrect Permission Assignment for Critical Resource

GLPI is a Free Asset and IT Management Software package

CVE-2022-41941 4.8 - Medium - January 26, 2023

GLPI is a Free Asset and IT Management Software package. Versions 10.0.0 and above, prior to 10.0.6, are subject to Cross-site Scripting. An administrator may store malicious code in help links. This issue is patched in 10.0.6.

XSS

GLPI - Reports plugin for GLPI Reflected Cross-Site-Scripting (RXSS)

CVE-2022-39181 6.1 - Medium - November 17, 2022

GLPI - Reports plugin for GLPI Reflected Cross-Site-Scripting (RXSS). Type 1: Reflected XSS (or Non-Persistent) - The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or emailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser.

XSS

GLPI stands for Gestionnaire Libre de Parc Informatique

CVE-2022-39376 6.5 - Medium - November 03, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to inject custom fields values in `mailto` links. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.

Improper Input Validation

GLPI stands for Gestionnaire Libre de Parc Informatique

CVE-2022-39375 5.4 - Medium - November 03, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Users may be able to create a public RSS feed to inject malicious code in dashboards of other users. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.

XSS

GLPI stands for Gestionnaire Libre de Parc Informatique

CVE-2022-39373 4.8 - Medium - November 03, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Administrator may store malicious code in entity name. This issue has been patched, please upgrade to version 10.0.4.

XSS

GLPI stands for Gestionnaire Libre de Parc Informatique

CVE-2022-39372 5.4 - Medium - November 03, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Authenticated users may store malicious code in their account information. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.

XSS

GLPI stands for Gestionnaire Libre de Parc Informatique

CVE-2022-39371 5.4 - Medium - November 03, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Script related HTML tags in assets inventory information are not properly neutralized. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.

XSS

GLPI stands for Gestionnaire Libre de Parc Informatique

CVE-2022-39370 4.3 - Medium - November 03, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Connected users may gain access to debug panel through the GLPI update script. This issue has been patched, please upgrade to 10.0.4. As a workaround, delete the `install/update.php` script.

GLPI stands for Gestionnaire Libre de Parc Informatique

CVE-2022-39277 4.8 - Medium - November 03, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. External links are not properly sanitized and can therefore be used for a Cross-Site Scripting (XSS) attack. This issue has been patched, please upgrade to GLPI 10.0.4. There are currently no known workarounds.

XSS

GLPI stands for Gestionnaire Libre de Parc Informatique

CVE-2022-39323 9.8 - Critical - November 03, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Time based attack using a SQL injection in api REST user_token. This issue has been patched, please upgrade to version 10.0.4. As a workaround, disable login with user_token on API Rest.

SQL Injection

GLPI stands for Gestionnaire Libre de Parc Informatique

CVE-2022-39276 5.3 - Medium - November 03, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or an external calendar in planning is subject to SSRF exploit. In case a remote script returns a redirect response, the redirect target URL is not checked against the URL allow list defined by administrator. This issue has been patched, please upgrade to 10.0.4. There are currently no known workarounds.

SSRF

GLPI stands for Gestionnaire Libre de Parc Informatique

CVE-2022-39262 4.8 - Medium - November 03, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package, GLPI administrator can define rich-text content to be displayed on login page. The displayed content is can contains malicious code that can be used to steal credentials. This issue has been patched, please upgrade to version 10.0.4.

XSS

GLPI stands for Gestionnaire Libre de Parc Informatique

CVE-2022-39234 8.8 - High - November 03, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package that provides ITIL Service Desk features, licenses tracking and software auditing. Deleted/deactivated user could continue to use their account as long as its cookie is valid. This issue has been patched, please upgrade to version 10.0.4. There are currently no known workarounds.

Insufficient Session Expiration

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2

CVE-2022-35914 9.8 - Critical - September 19, 2022

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

Injection

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package

CVE-2022-35947 9.8 - Critical - September 14, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions have been found to be vulnerable to a SQL injection attack which an attacker could leverage to simulate an arbitrary user login. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should disable the `Enable login with external token` API configuration.

SQL Injection

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package

CVE-2022-35946 6.5 - Medium - September 14, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In affected versions request input is not properly validated in the plugin controller and can be used to access low-level API of Plugin class. An attacker can, for instance, alter database data. Attacker must have "General setup" update rights to be able to perform this attack. Users are advised to upgrade to version 10.0.3. Users unable to upgrade should remove the `front/plugin.form.php` script.

SQL Injection

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package

CVE-2022-35945 6.1 - Medium - September 14, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Information associated to registration key are not properly escaped in registration key configuration page. They can be used to steal a GLPI administrator cookie. Users are advised to upgrade to 10.0.3. There are no known workarounds for this issue. ### Workarounds Do not use a registration key created by an untrusted person.

XSS

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package

CVE-2022-31187 5.4 - Medium - September 14, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Affected versions were found to not properly neutralize HTML tags in the global search context. Users are advised to upgrade to version 10.0.3 to resolve this issue. Users unable to upgrade should disable global search.

XSS

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package

CVE-2022-31143 5.3 - Medium - September 14, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. It was found that in affected versions there is an exposure of private information defined in setup of GLPI (like smtp or cas hosts). Note that passwords are not exposed. Users are advised to upgrade to version 10.0.3. There are no known workarounds for this issue.

Information Disclosure

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package

CVE-2022-36112 5.8 - Medium - September 14, 2022

GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. Usage of RSS feeds or extenal calendar in planning is subject to SSRF exploit. Server-side requests can be used to scan server port or services opened on GLPI server or its private network. Queries responses are not exposed to end-user (blind SSRF). Users are advised to upgrade to version 10.0.3 to resolve this issue. There are no known workarounds.

SSRF

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2022-31068 5.3 - Medium - June 28, 2022

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all GLPI instances with the native inventory used may leak sensitive information. The feature to get refused file is not authenticated. This issue has been addressed in version 10.0.2 and all affected users are advised to upgrade.

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing

CVE-2022-31061 9.8 - Critical - June 28, 2022

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on login page. No user credentials are required to exploit this vulnerability. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

SQL Injection